Bridging the gap from legacy systems to secure AI innovation

As agencies rush to adopt AI development tools, traditional security frameworks are failing to keep pace with an exponentially expanding attack surface, writes GitLab’s Rob Smith.

The federal government's recent AI Action Plan represents a pivotal moment in America's technological evolution. Artificial intelligence adoption presents public sector organizations with both unprecedented opportunity and existential risk. The ways the public sector implements AI today will set the stage for future technological progress.

This includes software development – while agencies rush to harness AI's transformative potential, they are facing the reality that AI is generating code faster than traditional security frameworks can evaluate it, dramatically expanding the federal attack surface.

The Federal Security Imperative

A recent study confirms the scope of the challenge facing government agencies. According to GitLab's 2025 executive research report, The Economics of Software Innovation: $750B+ Opportunity at a Crossroads, 85% of senior executives agree that AI will create unprecedented security challenges, with 52% citing cybersecurity threats as their primary worry.

The vulnerability landscape is expanding at an alarming rate: security analysts project that researchers and organizations will report nearly 50,000 new common vulnerabilities and exposures (CVEs) this year alone. When AI tools add dependencies and generate more code across federal systems, the share of that vulnerability stream that applies to agency software grows with the volume of code and third-party packages in use.

Legacy systems and code that permeate government operations compound the challenge. Much of the federal technology stack relies on outdated frameworks and memory-unsafe programming languages. These legacy systems often lack compatibility with modern security scanners, creating blind spots that attackers can exploit.

Perhaps most concerning for national security is the shrinking window between vulnerability disclosure and exploitation. Current data shows that attackers exploit over 28% of vulnerabilities within 24 hours of disclosure. Federal agencies cannot afford to operate with traditional remediation timelines.

Federal Software Supply Chain Resilience

The challenge facing federal agencies extends beyond conventional cybersecurity into the realm of software supply chain security. When AI generates code across multiple repositories simultaneously, basic questions about which assets exist, which processes produced them, and where risk concentrates become harder to answer.

This visibility challenge requires a layered approach that moves from inventory to oversight to action. To maintain visibility across the software supply chain, consider implementing:

  • Asset visibility and control: Federal agencies must maintain comprehensive inventories of their software components, including a detailed software bill of materials (SBOM) for each application that provides transparency into third-party and open-source dependencies.
  • Agency-wide risk assessment: Security cannot remain siloed within individual programs or departments. Teams need unified dashboards to understand asset coverage, surface gaps, and take action, especially when AI is accelerating development across entire portfolios.
  • Continuous threat monitoring: Continuous vulnerability scanning addresses critical gaps by automatically monitoring code repositories and cross-referencing existing SBOMs against newly published CVEs. This is particularly valuable in AI-accelerated environments, where code generation can create sprawling codebases that teams may later deprioritize but that remain deployed.
  • Precise remediation: Transitive dependencies, code pulled in automatically by the libraries an application imports directly, often account for most of an application's code. When a vulnerability is discovered deep in a dependency chain, teams frequently cannot see which top-level package introduced it or through how many layers. Dependency path tracing reveals the complete route from top-level dependencies to the vulnerable package, so teams can identify the correct package to upgrade or replace rather than patching blindly.
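The two mechanical pieces of the list above, cross-referencing an SBOM against an advisory feed and tracing the dependency path back to a top-level package, are small enough to show end to end. The following is an added example written for this article, not GitLab's code or any tool the article describes. The SBOM uses a simplified CycloneDX layout (a components list plus a dependencies section keyed by bom-ref), and both the SBOM and the advisory feed are constructed inline with hypothetical package names, versions and advisory identifiers.

```python
"""Added example (not GitLab's code): match a CycloneDX-style SBOM against a
vulnerability feed and trace how each vulnerable package was pulled in.

The SBOM and the advisory feed below are constructed for this example; the
package names, versions and advisory IDs are hypothetical.
"""

# Constructed SBOM in a simplified CycloneDX shape: every component carries a
# bom-ref, and the dependencies section maps each ref to the refs it uses.
SBOM = {
    "components": [
        {"bom-ref": "pkg:pypi/agency-portal@1.0.0", "name": "agency-portal", "version": "1.0.0"},
        {"bom-ref": "pkg:pypi/webframe@2.3.1", "name": "webframe", "version": "2.3.1"},
        {"bom-ref": "pkg:pypi/template-kit@4.0.2", "name": "template-kit", "version": "4.0.2"},
        {"bom-ref": "pkg:pypi/yaml-lib@5.1.0", "name": "yaml-lib", "version": "5.1.0"},
        {"bom-ref": "pkg:pypi/report-gen@0.9.0", "name": "report-gen", "version": "0.9.0"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/agency-portal@1.0.0",
         "dependsOn": ["pkg:pypi/webframe@2.3.1", "pkg:pypi/report-gen@0.9.0"]},
        {"ref": "pkg:pypi/webframe@2.3.1", "dependsOn": ["pkg:pypi/template-kit@4.0.2"]},
        {"ref": "pkg:pypi/template-kit@4.0.2", "dependsOn": ["pkg:pypi/yaml-lib@5.1.0"]},
        {"ref": "pkg:pypi/report-gen@0.9.0", "dependsOn": ["pkg:pypi/yaml-lib@5.1.0"]},
        {"ref": "pkg:pypi/yaml-lib@5.1.0", "dependsOn": []},
    ],
}

# Constructed "newly published" advisories with hypothetical IDs. A missing
# "fixed" field means no patched release exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "yaml-lib", "introduced": "5.0.0", "fixed": "5.1.3"},
    {"id": "ADV-EXAMPLE-2", "name": "webframe", "introduced": "3.0.0", "fixed": "3.0.4"},
]


def parse_version(text):
    """Turn '5.1.0' into (5, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """True when introduced <= version < fixed (no 'fixed' means still unpatched)."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)


def build_graph(sbom):
    """Map each bom-ref to the list of refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom["dependencies"]}


def match_advisories(sbom, advisories):
    """Cross-reference every SBOM component against the advisory feed."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], adv):
                hits.append((comp["bom-ref"], adv["id"]))
    return hits


def trace_paths(graph, root, target):
    """All simple paths from root to target through the dependency graph."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # skip cycles so the walk always terminates
                walk(child, path + [child])

    walk(root, [root])
    return paths


def remediation_report(sbom, advisories, root):
    """For each finding: the vulnerable ref, every path from the root that
    reaches it, and the direct dependencies that must be bumped or replaced."""
    graph = build_graph(sbom)
    report = {}
    for ref, adv_id in match_advisories(sbom, advisories):
        paths = trace_paths(graph, root, ref)
        report[adv_id] = {
            "vulnerable": ref,
            "paths": paths,
            # path[1] is the top-level dependency that started each chain
            "direct_dependencies": sorted({p[1] for p in paths if len(p) > 1}),
        }
    return report


if __name__ == "__main__":
    root_ref = "pkg:pypi/agency-portal@1.0.0"
    for adv_id, finding in remediation_report(SBOM, ADVISORIES, root_ref).items():
        print(adv_id, "affects", finding["vulnerable"])
        for path in finding["paths"]:
            print("   ", " -> ".join(path))
        print("    act on:", ", ".join(finding["direct_dependencies"]))
```

Two points the code makes that the prose only implies: version ranges must be compared numerically (a string comparison would rank "5.10.0" below "5.9.0"), and a vulnerable package reached by more than one path needs every introducing top-level dependency updated, otherwise a partial fix leaves the package on the system. Here webframe 2.3.1 is not flagged because it is below the advisory's introduced version, while yaml-lib 5.1.0 is reached both through webframe and through report-gen, so both must move to a release that pulls in yaml-lib 5.1.3 or later.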

While these supply chain security measures provide essential visibility and control, they represent only part of the solution. The most critical challenge facing federal agencies is scaling these security practices to match the velocity of AI-driven development, while simultaneously addressing the vulnerabilities inherited from decades of legacy systems.

Secure Governance for AI-Accelerated Development

Federal agencies face the dual imperative of modernizing legacy codebases while implementing governance frameworks that can scale with AI-driven development cycles. Traditional security governance relies on manual oversight and periodic reviews that can’t keep pace with either challenge, requiring a shift to proactive, platform-embedded governance that addresses both legacy vulnerabilities and AI-accelerated development.

The core principles of secure AI development need to be applied across the entire development lifecycle, from code generation through deployment, rather than at a single review gate. When controls such as the inventory, scanning and dependency-tracing measures above are enforced by the development platform itself, security governance scales automatically with development velocity, enabling federal agencies to harness AI's acceleration without sacrificing enterprise security requirements.

For agencies handling sensitive national security information, these governance frameworks must operate entirely within agency-controlled environments, whether in classified facilities, private clouds, or highly regulated environments. This approach enables agencies to harness AI-powered development tools while maintaining complete data sovereignty.

By embedding these governance principles directly into their development platforms, federal agencies can avoid the traditional trade-off between speed and security: every AI-generated change passes through the same controls as any other change, at the pace the tooling generates it.

Leading Through Secure Innovation

Federal agencies stand at a crossroads. The path forward requires secure, compliant frameworks that enable organizations to harness AI's full potential.

With 94% of organizations achieving return on investment from AI within two years, there's no time to waste. By enabling secure and ethical AI deployments, the government can establish standards and gain a lasting competitive advantage. The future of technological leadership, in both the public and private sectors, hinges on striking this balance effectively.


Rob Smith is area vice president for public sector at GitLab.